Introduction
An OCSP Must-Staple certificate can improve revocation handling, but it also makes HTTPS less forgiving when stapling is missing or stale. The certificate may still look valid, yet some browsers reject the site because the server failed to include the expected OCSP response during the TLS handshake. That turns a hidden stapling problem into a visible outage. The fix is to confirm that the server can fetch, cache, and present fresh OCSP data reliably.
Symptoms
- Browsers show certificate or secure connection errors on a site with a valid certificate
- The issue appears on some clients even though HTTPS works elsewhere
- TLS tests report missing, invalid, or stale OCSP stapling
- The problem started after renewing a certificate or changing servers
- Users can reach the site intermittently depending on browser or network path
Common Causes
- The web server does not support OCSP stapling correctly for the active certificate path
- The server cannot reach the OCSP responder to fetch a fresh stapled response
- Cached OCSP data expired and was not refreshed in time
- A new certificate was deployed without matching stapling configuration
- Reverse proxies or TLS termination layers handle the certificate differently than expected
Step-by-Step Fix
- Confirm that the certificate actually carries the Must-Staple extension and that the failure is specifically caused by OCSP stapling rather than some other certificate problem.
- Check whether the active TLS termination layer is the one expected to fetch and serve the stapled OCSP response.
- Review web server stapling settings and confirm they are enabled on the exact certificate path handling live traffic.
- Test whether the server can reach the OCSP responder over the network, because firewalls or egress rules can block refreshes.
- Inspect server logs or TLS diagnostics for expired, missing, or invalid stapled responses.
- Verify that the recently deployed certificate, intermediate chain, and stapling cache all belong to the same live configuration.
- Reload the affected service after correcting stapling settings so a fresh OCSP response can be fetched and attached.
- Re-test from external tools and real browsers to confirm the site now presents a valid stapled response consistently.
- Keep certificate renewal, chain deployment, and OCSP stapling settings documented together so future renewals do not trigger another trust failure.
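The two facts the procedure above rests on, whether the certificate demands a staple and whether the server actually sent a usable one, can be checked from openssl output. This is an added shell example, not code from the original article; it assumes openssl(1) is in PATH, and the host, port and sample handshake text are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: check (1) whether the
# certificate carries OCSP Must-Staple (the TLS Feature extension with
# status_request) and (2) whether the server stapled a usable OCSP response.
# Assumes openssl(1) in PATH; host, port and sample text are placeholders.

# Succeed if `openssl x509 -text` output shows the TLS Feature extension
# with status_request. Newlines and spaces are stripped first so the
# two-line layout openssl prints does not matter.
has_must_staple() {
  printf '%s\n' "$1" | tr -d '\n ' | grep -q 'TLSFeature:status_request'
}

# Classify the OCSP section of `openssl s_client -status` output:
# missing  -> no staple sent (a Must-Staple client will hard-fail here)
# invalid  -> a response was sent but the responder status is not successful
# good     -> successful response, certificate status good
# not-good -> successful response, but status is revoked or unknown
staple_state() {
  if printf '%s\n' "$1" | grep -q 'OCSP response: no response sent'; then
    echo missing
  elif ! printf '%s\n' "$1" | grep -q 'OCSP Response Status: successful'; then
    echo invalid
  elif printf '%s\n' "$1" | grep -q 'Cert Status: good'; then
    echo good
  else
    echo not-good
  fi
}

# Live check against HOST[:PORT]; the PEM leaf inside the s_client output
# is fed to x509 -text so both facts come from the same handshake.
check_host() {
  host=$1; port=${2:-443}
  hs=$(printf 'Q\n' | openssl s_client -connect "$host:$port" \
        -servername "$host" -status 2>/dev/null)
  leaf=$(printf '%s\n' "$hs" | openssl x509 -noout -text 2>/dev/null)
  if has_must_staple "$leaf"; then ms=yes; else ms=no; fi
  echo "host=$host must-staple=$ms staple=$(staple_state "$hs")"
}

# Constructed sample (offline): a handshake in which no staple was sent.
SAMPLE_HS='OCSP response: no response sent'
echo "sample staple=$(staple_state "$SAMPLE_HS")"   # prints missing

# Pass a hostname to run the live check: sh check-staple.sh example.com
if [ $# -gt 0 ]; then check_host "$1" "${2:-443}"; fi
```

A Must-Staple certificate combined with a `missing` or `invalid` result is exactly the outage described above; re-run after reloading the service to confirm it reports `good`.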